tag 611229 +moreinfo thanks On Thu, Jan 27, 2011 at 12:23:24AM +0000, ian wrote:
> After upgrading from 2.1.3-2 to 2.1.5-3 ejabberd fails to authenticate > any users. We are using LDAP. A downgrade fixes the issue. [...] > however when an admin user attempts to log in via the web interface it > returns an error: > > =ERROR REPORT==== 2011-01-26 22:36:38 === > E(<0.519.0>:ejabberd_auth:256) : The authentication module ejabberd_auth_ldap > returned an error > when checking user "ian" in server "example.com" > Error message: {{case_clause, > {'EXIT', > {function_clause, > [{eldap,'and', > [{'or', > [{equalityMatch, > {'AttributeValueAssertion',"objectClass", > "exampleUser"}}, > {equalityMatch, > {'AttributeValueAssertion',"objectClass", > "exampleIT"}}]}]}, [...] > [{eldap_filter,parse,2}, [...] > =ERROR REPORT==== 2011-01-26 22:36:38 === > W(<0.519.0>:ejabberd_web_admin:220) : Access of "i...@example.com" from > "10.4.1.241" failed with error: "inexistent-account" [...] > {auth_method, ldap}. > {ldap_servers, ["alpha.ldap.example.com", "ldap.example.com"]}. > {ldap_base, "ou=users,dc=example,dc=com"}. > {ldap_uids, [{"mail", "%u@%d"}]}. > {ldap_filter, "(&(|(objectClass=exampleUser)(objectClass=exampleIT)) > (|(accountStatus=active)(accountStatus=migrate)) )"}. Could you please remove the spaces embedded into ldap_filter's value, retry and report back if it fixes the problem for you? The idea is that according to my cursory reading through RFC 4515 [1], it does not allow whitespace before/between/after assertions in the "filter compositions" (in fact, anywhere except in the values, it seems), and LDAP parser has been changed in 2.1.5 (or 2.1.4, I can't recall) to allow usage of the so-called extensible matching rules in the filter. That change could, in principle, fix LDAP filter parsing rules as a byproduct invalidating your ldap_filter. 1. http://tools.ietf.org/html/rfc4515 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org